Marcus Fritzsch
2008-May-04 02:56 UTC
[Secure-testing-team] Bug#479276: [lighttpd] New configuration executes scripts outside of /cgi-bin/
Package: lighttpd
Version: 1.4.19-2
Severity: important
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
--- Please enter the report below this line. ---
The new configuration included with lighttpd contains the following
lines:
-----snip-----
cgi.assign = (
".pl" => "/usr/bin/perl",
".php" => "/usr/bin/php-cgi",
".py" => "/usr/bin/python",
)
-----snap-----
These lines make it possible for scripts outside of /cgi-bin/ and w/o
exec permission to be executed by their respective (according to the
mapping) interpreters. Most likely the scripts will show some errors
like the following in the error log:
-----snip-----
Traceback (most recent call last):
File "/<path>/<file>.py", line 12, in <module>
import wx, math, time
ImportError: No module named wx
-----snap-----
Which is one of my scripts I hosted within my data files - I do not
have any cgi's for that matter.
Please correct the 10-cgi.conf in conf-available/ to a safe default.
Cheers, Marcus
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.24-1-686
Debian Release: lenny/sid
500 unstable ftp.de.debian.org
500 unstable deb.opera.com
1 experimental ftp.de.debian.org
--- Package information. ---
Depends (Version) | Installed
============================================-+-=============
libattr1 (>= 2.4.41-1) | 1:2.4.41-1
libbz2-1.0 | 1.0.5-0.1
libc6 (>= 2.7-1) | 2.7-10
libfam0 |
libldap-2.4-2 (>= 2.4.7) | 2.4.7-6.1
libpcre3 (>= 7.4) | 7.6-2
libssl0.9.8 (>= 0.9.8f-5) | 0.9.8g-8
libterm-readline-perl-perl | 1.0302-1
lsb-base (>= 3.0-3) | 3.2-12
mime-support | 3.40-1.1
zlib1g (>= 1:1.1.4) | 1:1.2.3.3.dfsg-12
--
/* name>Marcus Fritzsch www>fritschy.de gnupg>98A1D365 icq>53118621
   jabber>fritschy at jabber.ap-wdsl.de */
s(c,t){return isalpha(c)&&t?s(65-c&&97-c?c-1:c+25,t-1):c;}main(){for(;;)putchar(s(getchar(),13));}
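An added example, not taken from the bug report or from the Debian package, showing the global mapping quoted above next to a version that confines CGI execution to /cgi-bin/. The /usr/lib/cgi-bin/ directory and the use of mod_alias to expose it are assumptions; adjust them to the host.

```lighttpd
# Weak form (the snippet reported above): cgi.assign is set at top level,
# so it applies to every file under the document root. Any .pl/.php/.py
# file that ends up in a data directory is handed to its interpreter on
# request, whether or not it carries an exec bit.
#
# cgi.assign = (
#     ".pl"  => "/usr/bin/perl",
#     ".php" => "/usr/bin/php-cgi",
#     ".py"  => "/usr/bin/python",
# )

# Scoped form: the same mapping, but only for requests whose URL starts
# with /cgi-bin/. Outside that prefix a .py file is just a static file and
# is served (or denied by your access rules), never executed.
server.modules += ( "mod_alias", "mod_cgi" )

# Assumed location of the CGI directory. Use "alias.url +=" instead if
# alias.url is already defined elsewhere in your configuration.
alias.url = ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )

$HTTP["url"] =~ "^/cgi-bin/" {
    cgi.assign = (
        ".pl"  => "/usr/bin/perl",
        ".php" => "/usr/bin/php-cgi",
        ".py"  => "/usr/bin/python",
    )
    # Stricter alternative: match every file in /cgi-bin/ and run it
    # directly via its #! line, which requires the exec bit to be set:
    # cgi.assign = ( "" => "" )
}
```

After changing the file, run `lighttpd -t -f /etc/lighttpd/lighttpd.conf` to check the syntax and `lighttpd -p -f /etc/lighttpd/lighttpd.conf` to print the parsed configuration; the cgi.assign block should appear only under the `$HTTP["url"] =~ "^/cgi-bin/"` condition and not at top level.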
Pierre Habouzit
2008-May-04 08:58 UTC
[Secure-testing-team] [pkg-lighttpd] Bug#479276: [lighttpd] New configuration executes scripts outside of /cgi-bin/
severity 479276 normal
tag 479276 - security
thanks

On Sun, May 04, 2008 at 02:56:35AM +0000, Marcus Fritzsch wrote:
> Package: lighttpd
> Version: 1.4.19-2
> Severity: important
> Tags: security
> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
>
> --- Please enter the report below this line. ---
> The new configuration included with lighttpd contains the following
> lines:

Files in conf-available are snippets meant to be adapted to your needs. Those are not enabled by default, hence it's *not* a security issue, as administrators are supposed to read what they activate.

Though I'll quote that part in a future upload. But I see no urgency to it yet.

--
Pierre Habouzit
madcoder at debian.org
http://www.madism.org